CVE-2026-15062

Snowflake · Snowpark Python SDK

SQL injection vulnerabilities in the Snowflake Snowpark Python SDK allow authenticated low-privilege users to execute unauthorized SQL queries and potentially exfiltrate data.

Executive summary

Authenticated low-privilege users can exploit SQL injection flaws in the Snowflake Snowpark Python SDK to escalate privileges and access unauthorized data.

Vulnerability

The SDK fails to properly neutralize SQL syntax in several methods, including DataFrameReader.dbapi() and DataFrame.to_csv(). By injecting crafted payloads into column names or file paths, an authenticated user can manipulate SQL execution flow to bypass authorization scopes.

Business impact

This vulnerability allows authenticated users to perform actions exceeding their intended permissions, including cross-tenant data exfiltration and unauthorized reading of sensitive account data. With a CVSS score of 9.6, the risk of significant data breach and violation of regulatory compliance standards is extremely high for organizations relying on Snowflake for data processing.

Remediation

Immediate Action: Update the Snowpark Python SDK to version 1.53.0 or higher across all development and production environments.

Proactive Monitoring: Audit database query logs for unusual access patterns or SQL commands originating from the Snowpark SDK that deviate from expected application behavior.

Compensating Controls: Implement strict database-level role-based access controls (RBAC) to limit the impact of a compromised session, ensuring the service account used by the SDK has the minimum required permissions.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Organizations utilizing the Snowflake Snowpark Python SDK should treat this as a critical update. Given the risk of data exfiltration, ensure that all instances are patched and review IAM policies to enforce the principle of least privilege.